Level 36

SRP uses the Designated File Types list to block files by extension. For example, you can block CHM files (and many others) outside the 'C:\Windows' and 'C:\Program Files' folders without blocking the executable hh.exe that can open them. You can also directly block shortcuts (LNK files) etc. So, the happy clicker cannot be fooled by a file with a spoofed extension, because it will be blocked.
Furthermore, you can block many vulnerable executables from the Windows folder without breaking Windows Updates and system scheduled tasks, because they are usually blocked by SRP only as standard user and allowed to run with higher rights.
Generally, SRP configuration is simpler than WD Application Control.
SRP can be applied in Enterprise networks, but to get a similar security level as in the case of WD Application Control, SRP has to be very restrictive, so less usable.
.
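The policy settings the post refers to (default security level, enforcement only for standard users, and the Designated File Types list) all live in the SRP "Safer" registry key. The following audit script is an added example, not code from this thread or from Hard_Configurator; it reads those standard SRP values and reports whether the extensions discussed here (CHM, LNK, BAT, EXE and a few other script types, a list I chose for illustration) are covered. The value names and the level/scope encodings are the documented SRP ones; the `$Wanted` list is an assumption you should adjust to your own policy.

```powershell
# Added example (not from the thread or from Hard_Configurator): audit the SRP
# policy a default-deny setup relies on. Run in an elevated PowerShell.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Extensions we expect a user-space default-deny policy to cover (assumption).
$Wanted = @('EXE', 'BAT', 'CMD', 'CHM', 'LNK', 'PS1', 'VBS', 'JS')

# DefaultLevel encodings used by SRP
$LevelNames = @{
    0x00000 = 'Disallowed'
    0x01000 = 'Untrusted'
    0x10000 = 'Constrained'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

if (-not (Test-Path $SaferKey)) {
    Write-Output "No SRP policy present at $SaferKey (SRP is not configured)."
    return
}

$p = Get-ItemProperty -Path $SaferKey

# Default level: 0 means everything not explicitly allowed is blocked
$level = [int]$p.DefaultLevel
$levelName = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { 'unknown (0x{0:X})' -f $level }
Write-Output "Default security level : $levelName"
if ($level -ne 0) {
    Write-Warning 'Not default-deny: programs outside the allowed paths will run.'
}

# PolicyScope 1 = enforce for all users except local administrators, which is
# what the post describes: blocked as standard user, allowed with higher rights.
$scope = [int]$p.PolicyScope
$scopeText = if ($scope -eq 1) { 'all users except local administrators' } else { 'all users (administrators included)' }
Write-Output "Enforced for           : $scopeText"

# TransparentEnabled 2 = DLLs are checked too, 1 = executables only
$transparent = [int]$p.TransparentEnabled
Write-Output ("DLL checking           : " + $(if ($transparent -eq 2) { 'on' } else { 'off' }))

# ExecutableTypes is the REG_MULTI_SZ behind "Designated File Types"
$types = @($p.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
Write-Output "Designated File Types  : $($types -join ', ')"

# Anything not in the list is not subject to SRP path rules at all, which is
# exactly the gap a spoofed-extension file would slip through.
$missing = @($Wanted | Where-Object { $types -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Not in Designated File Types (path rules will not block them): " + ($missing -join ', '))
} else {
    Write-Output 'All checked extensions are covered by the Designated File Types list.'
}
```

Reading the key rather than the Local Security Policy GUI makes the check scriptable across several family machines, and a warning on `PolicyScope` or a missing extension is exactly the kind of drift an experienced user should look for when supervising an already configured setup.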

Why does nobody talk about a more important factor, that most home users are "click happy" and don't pay attention to any security alerts, and if one comes up "in their face" like a SmartScreen alert, they just click yes to get it out of their way faster without reading any information about what it is for? If the family has no one to ask for computer help, they have to call someone tech-like. And most people 50+ who weren't born with tablets and PCs in their hands will not go the manual way of seeking help for a problem in Google or MalwareTips, for example. I can set up SRP for my other 5+ family Windows systems, but if I wasn't there for them, default-deny would NOT be the best security solution.

All the above is true. I think that you understand the home user as an inexperienced or average user. I did not mean it. The home user is the user that has the computer connected to the home network under the NAT router. That is a big difference as compared to the user in the Enterprise network. I do not recommend configuring SRP (with or without Hard_Configurator) by inexperienced users. As you noticed, even an already configured SRP setup requires supervising by an experienced user from time to time.

What are they interested in?
The right-click option in Explorer to force checking by SmartScreen ('Run As SmartScreen' or 'Run By SmartScreen') depends only on SmartScreen settings. If SmartScreen for applications is turned on then this feature is fully functional (even when Defender is completely turned off).
SmartScreen is independent of the "block at first sight" feature.

Level 36

I found the thread mentioned by @shmu26: AV-Comparatives: Real-World Protection Test February-June 2018
I like to read @itman's threads because of the interesting links to source articles. But it seems that he is not an expert in SRP. He is right that Hard_Configurator is dependent on SRP, but it is not true that there are many such third-party solutions. In fact, as far as I know, except for Hard_Configurator there is not any GUI application for Windows 7+ based on default-deny SRP. There is the non-GUI Simple Software-Restriction Policy application, which is worth mentioning. There are some applications based on default-allow SRP (like CryptoPrevent).
Furthermore, Hard_Configurator is semi-portable. One can simply copy the Hard_Configurator folder from one computer to another (with the same processor architecture) to the location C:\Windows\Hard_Configurator, and it will be fully functional. The strict folder location is required to adopt forced SmartScreen, so Hard_Configurator cannot be fully portable.
Hard_Configurator and ConfigureDefender are available not only on GitHub, but also on Softpedia. They are also whitelisted by Microsoft, Symantec, Avast, and Emsisoft (I sent the installers for analysis). They are also whitelisted by the Avast reputation cloud, which is activated via Aggressive Hardened Mode. So, they have gained some positive reputation.
The open question that has bothered me since 2016 (when Hard_Configurator was created) is how long Microsoft will keep SRP available. In fact, SRP has not been actively developed for the last few years. The last improvement I noticed was PowerShell Constrained Language Mode integrated with default-deny SRP settings. Microsoft can throw it out next year or after 5 years (or later) - that will depend on how popular SRP is in Enterprises and how many new protection features will be transferred from the Windows Enterprise edition to the Pro edition.

Post edited: Microsoft can abandon it ---> Microsoft can throw it out.

Level 27

With the caveat that sometimes, it might be impossible to do so. Case in point, malware drops PowerShell v2 on your PC. Renames it, or the file is downloaded under a different name. It then moves it to a folder you're not monitoring .exe startup from; e.g. C:\Program Files, etc.
How can SRP handle it?

Level 36

With the caveat that sometimes, it might be impossible to do so. Case in point, malware drops PowerShell v2 on your PC. Renames it, or the file is downloaded under a different name. It then moves it to a folder you're not monitoring .exe startup from; e.g. C:\Program Files, etc.
How can SRP handle it? This itman is an ESET user; I talk to him sometimes in the ESET forum. He is very, very smart and paranoid xd

PowerShell v2 will not be dropped and executed when using Hard_Configurator settings (computer in the home network with a NAT router), except when the user intentionally allows running the malware (ignoring SmartScreen) or uses vulnerable software (easily exploited). Even then, the malware will usually be blocked/mitigated, except for some sophisticated samples or when the user ignores the UAC alert to allow copying files to Program Files.

Level 36

People on the Wilderssecurity forum asked whether Hard_Configurator settings block the BAT file located somewhere in the Userspace (XXXX is a UserProfile name):

Code:

START "" C:\Users\XXXX\AppData\Local\Temp\knownmalicious.exe

.
Of course, it will be blocked, because the Hard_Configurator default settings (Recommended SRP) block BAT files (and many others) in the Userspace. So, maybe a more clever SmartScreen bypass would be avoiding BAT files and running the command line:
cmd /c START "" C:\Users\XXXX\AppData\Local\Temp\knownmalicious.exe
or
PowerShell -command start C:\Users\XXXX\AppData\Local\Temp\knownmalicious.exe
.
But then, the executable knownmalicious.exe will be blocked too, because the Hard_Configurator default settings (Recommended SRP) block EXE files in the Userspace.
Anyway, the user can run the file knownmalicious.exe using "Run As SmartScreen" via the Explorer right-click menu, but then it will be checked by SmartScreen.

Level 36

I found some issues with the MS Office hardening tweaks recommended by Microsoft. Those tweaks are adopted in Hard_Configurator (<Documents Anti-Exploit>) and SysHardener. They should block VBA Macros, DDE, OLE, and ActiveX in MS Office documents (MS Office 2007 up to MS Office 2016).
The DDE mitigations sources:

The issue I found is related to DDE in Excel (the mitigations worked in Word). The tweaks from the first link did not work for my Office 2010 (in VirtualBox) until I manually installed the specific update (excel2010-kb4011660-fullfile-x86-glb.exe) advised in the second link. It seems that the required updates are not always offered via Windows Updates.
How to check if DDE is blocked in Excel? It is very simple.

Create the blank workbook.

In the first cell (A1) insert (copy/paste) the formula: =cmd|'/c calc.exe'!A1

If this formula opens the calculator application from Excel, then DDE is not blocked.

Also, you can save this workbook, close Excel and open the workbook from Explorer to test DDE.

Edit
When using custom Hard_Configurator settings, please check first if cmd.exe is unblocked (<Block Sponsors>).

So the above can be the right example for others.
But completely blocking DDE in Excel is possible only via a registry tweak, by setting (12.0 is for MS Office 2007, 14.0 for MS Office 2010, 15.0 for MS Office 2013, 16.0 for MS Office 2016):
HKEY_CURRENT_USER\Software\Microsoft\14.0\Excel\Security
DisableDDEServerLaunch = 1
HKEY_CURRENT_USER\Software\Microsoft\14.0\Excel\Security
DisableDDEServerLookup = 1
By default, those values are set to 0.
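Applying and verifying the two values by hand for every Office version is tedious, so here is an added example script (not from this thread, from Hard_Configurator, or from Microsoft) that audits or sets `DisableDDEServerLaunch` and `DisableDDEServerLookup` for each Office version listed above that is registered for the current user. It assumes the per-version key lives under `HKCU:\Software\Microsoft\Office\<version>\Excel\Security` (i.e. with an `Office` component in the path); if your installation uses a different key, change `$KeyTemplate`. Values are per user (HKCU), so run it as the user whose Excel you want to harden, not elevated.

```powershell
# Added example: audit (-AuditOnly) or enforce the Excel DDE registry values
# discussed in the post for every installed Office version of the current user.
param([switch]$AuditOnly)

# Assumption: Excel security settings live under this per-version path.
$KeyTemplate = 'HKCU:\Software\Microsoft\Office\{0}\Excel\Security'

$Versions = [ordered]@{
    '12.0' = 'Office 2007'
    '14.0' = 'Office 2010'
    '15.0' = 'Office 2013'
    '16.0' = 'Office 2016'
}
$Values = @('DisableDDEServerLaunch', 'DisableDDEServerLookup')

foreach ($ver in $Versions.Keys) {
    $label = "$($Versions[$ver]) ($ver)"

    # Skip versions that are not registered for this user; creating keys for
    # Office versions that are not installed is pointless.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) {
        Write-Output "$label : not present for this user, skipped"
        continue
    }

    $key = $KeyTemplate -f $ver

    foreach ($name in $Values) {
        # A missing value behaves like 0 (DDE allowed), the default the post mentions.
        $current = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $current = [int]$prop.$name }
        }

        if ($current -eq 1) {
            Write-Output "$label : $name = 1 (blocked)"
            continue
        }

        if ($AuditOnly) {
            Write-Warning "$label : $name = $current (DDE server launch/lookup allowed)"
            continue
        }

        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        Write-Output "$label : $name set to 1"
    }
}
```

Run it once with `-AuditOnly` to see the current state, then without the switch to enforce, and finally repeat the `=cmd|'/c calc.exe'!A1` test from the post in a fresh Excel session: if the calculator no longer launches, both values are in effect. Because the values are per user, a second account on the same machine needs the script run again under that account.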

Level 72

Question: when I was using Defender with ASR, I could still use my Word add-ons.
But right now I have a 3rd party AV, and if I enable "Documents anti-exploit", I get error messages when I launch Word.
Is there a certain setting or exception that will help?

Level 36

Question: when I was using Defender with ASR, I could still use my Word add-ons.
But right now I have a 3rd party AV, and if I enable "Documents anti-exploit", I get error messages when I launch Word.
Is there a certain setting or exception that will help?
